WTF, EFS? Experts warn Windows encryption could spawn nasty new ransomware

Redmond's own security tools could be abused to create hard-to-scrub infections

The encryption technology Microsoft uses to protect its own file system could also be turned into a weapon for ransomware attackers.

So says the research team at SafeBreach Labs, which has demonstrated how ransomware based on the Windows Encrypting File System (EFS) could prove difficult for anti-malware tools to spot and block.

SafeBreach veep of research Amit Klein and his team wrote a proof-of-concept attack that uses EFS combined with an attacker-generated key (from the ransomware infection) to force a PC to encrypt its own data. The keys are then flushed from the PC's memory, leaving the attacker with the sole means of decrypting the information.

The benefit of this, explained Klein, is an attack that is not only hard to spot and decode, but can also be more easily automated, executed without administrator clearance, and spread more easily than conventional ransomware infections.

"We put three anti-ransomware solutions from well-known vendors [ESET, Kaspersky, Microsoft] to the test against our EFS ransomware," Klein wrote. "All three solutions failed to protect against this threat."

While EFS has been used by malware writers in the past to conceal their attacks from security tools, SafeBreach believes this is the first time the encryption tool has been shown to be of use for ransomware attacks.

SafeBreach said that, prior to publishing the report, it had been in contact with 17 of the larger anti-ransomware tool developers to provide an advance notice and get detection for EFS malware added.

Admins can also manually disable EFS via registry key settings, or use a